An attacker pushed two malicious commits to the PHP source code Git server on Sunday, adding a backdoor, which was quickly removed.